Solving Cloud Security – Securing Software as a Service (SaaS)

By Rob Foxx, FIPCO Information Security and Audit Advisor

Cloud Application Security Best Practices

Here are several important best practices that all SaaS customers should practice. Many of them can be implemented or made easier by the use of automated tools or “SSPM” solutions:

• Detect rogue services and compromised accounts—according to recent studies, organizations use over 1,900 unique cloud services on average, many of them unknown or unmanaged by the organization due to shadow IT. Identify all cloud services and prioritize them according to the data they store and their impact on the business.
• Apply identity and access management (IAM)—role-based IAM solutions can help ensure that users never gain access to resources they do not need to perform their jobs. IAM tools use access policies to determine what applications and files each user is allowed to access. Organizations can apply this type of role-based permission to data and ensure that end users can see only the data they are authorized to view.
• Encrypt cloud data—encryption methods turn data into meaningless code that cannot be accessed by unauthorized users. Most regulatory entities require that organizations encrypt sensitive data, when it is at rest in storage repositories and while it is in transit as it moves between environments. SaaS vendors typically provide some form of encryption—but you must ensure encryption is enabled and working correctly.
• Enforce data loss prevention (DLP)—DLP tools monitor sensitive data in SaaS applications and outgoing transmissions. These tools can block unauthorized transmissions of sensitive information, preventing leaks and theft. You should also use DLP solutions to prevent users from downloading sensitive data to personal devices, and block unauthorized attempts to access, download or delete the data.
• Monitor collaborative sharing of data—collaboration controls can help detect granular permissions on the files shared with a wide range of users, including external users who use a web link to access files. The goal of collaboration controls is to prevent employees from intentionally or inadvertently sharing confidential documents via tools like team spaces, email accounts, and storage services like Dropbox and Google Drive.
• Audit the security of service providers—According to a recent Cloud Adoption and Risk Report, (https://www.dlt.com/sites/default/files/resource-attachments/2019-09/Cloud-Cloud-Adoption-%2526-Risk-Report-2019_0_13.pdf)  70% of surveyed respondents said they trust their SaaS provider’s security, but only 8% of those SaaS vendors actually met basic security requirements. For example, only 10% provided encryption of data at rest, and only 18% supported multi-factor authentication. It is critical to audit providers, evaluate their compliance certifications, and their data protection, access control, and other security capabilities.

What is SaaS Security Posture Management (SSPM)?

The term “security posture” refers to the security status of all IT assets within an organization. This includes code repositories, Software as a Service (SaaS) applications, hardware assets, networks, data pipelines, all information, and services.

SaaS Security Posture Management (SSPM) solutions offer tools and automation capabilities that can provide visibility into the security posture of SaaS environments and make it easier to remediate security concerns in those environments.

SaaS providers follow the shared responsibility model. This means the SaaS vendor is responsible for protecting the underlying infrastructure, network traffic, operating systems (OS), hypervisor, and applications. The SaaS customer is required to protect user access and data—this is where SSPM solutions come in, providing the visibility and tooling required to adequately manage and protect user access and data in SaaS environments.

SSPM solutions may cover some or all of the following aspects of SaaS security:

• Security controls—reviewing controls implemented by the organization for the purpose of protecting SaaS applications against external and internal cyberattacks.
• Security management—providing tools and techniques to help establish, update, optimize, and apply security policies.
• Detection and response—detecting threats, mitigating incidents, and recovering from cyber attacks.

In future articles we will cover the following:

• Does Your Organization Need SaaS Security Posture Management?
• SSPM Features and Capabilities
• What is the Relation Between Cloud Access Security Brokers (CASB) and SSPM?
• SaaS Security Posture Management with Cynet 360

What is SaaS Security and Why is it Important?

SaaS security practices and tools help organizations secure corporate data and user privacy in subscription-based cloud applications. SaaS applications often hold a large amount of sensitive information. These applications allow many users to gain access to information from a wide range of devices and locations. This can introduce major privacy and security risks.

SaaS security is different

While security and IT teams are generally familiar with tools and practices designed to protect Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) environments, SaaS security requires a different approach.

SaaS applications serve different teams with varying degrees of technical expertise. Additionally, the majority of organizations use multiple SaaS applications, each with a different security structure and different levels of complexity. This can turn SaaS security into a complex and time consuming effort.

Minor involvement by security teams

In some cases, the engagement between security teams and the businesses units using SaaS applications is brief. For example, the security team may be brought in to assess the application and provide a report, and the engagement may stop there. This type of limited interaction between end users and security teams may lead to a poor security posture that leaves the organization exposed to critical security and compliance risks.

In other cases, SaaS applications are managed by an internal team focused primarily on operational functionality. This team may not have the tooling, skillset, or time required to properly secure SaaS applications. Some organizations may bring in an additional role or team to take over security responsibilities, but because there is no clear owner, security may not be implemented consistently.

These challenges emphasize the need for an automated solution that can identify, alert, and even automatically remediate SaaS security issues.

Does Your Organization Need SaaS Security Posture Management?

Many critical business systems are being migrated to SaaS. According to a Gartner report, (https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021) worldwide spending on SaaS is as much as 48% higher than the spend on infrastructure as a service (IaaS) and 106% higher than platform as a service (PaaS). Many organizations rely on a similar set of popular, strategic SaaS applications to implement common business functions. Samples of some of the most popular and common SaaS applications include; Salesforce, Microsoft 365, HubSpot, Netflix, Zoom, Zendesk.

The SaaS trend means security teams must manage and secure applications that they have no control over. Cloud security is a shared responsibility between cloud providers and customers. Most enterprise SaaS applications provide some security controls, but customers need to properly configure these applications and prevent configuration changes over time.

Security posture management may seem simple at first glance, but it can quickly get very complex, even for a small to medium organization, not to mention for a large enterprise:

• Complex configurations—modern SaaS applications have hundreds of configurations that control sensitive activities, such as the ability to share files via Microsoft 365, access customer data in Salesforce, or record video calls in Zoom. Relying on default settings is not a viable solution.
• Multiple applications—different SaaS applications, especially if provided by different vendors, have their own set of configurations and interpret common controls such as IAM and data sharing in their distinct way. IT and security teams need to understand what each application offers and how configuration settings affect the security posture.
• Multiple interfaces—configurations are typically contained in multi-layer menus in each application console. Security and IT operations teams must be familiar with the security features in each application, and be able to find them in the application configuration. In some cases, simple operations like adding or removing permission for multiple users can be inefficient and time consuming.
• Configuration drift—it is not sufficient to set a secure configuration once. To ensure there are no misconfigurations, administrators should periodically check each application and identify if there were deviations from secure configuration.

SSPM solutions can help with this complexity, by continuously assessing security risks and managing the security for SaaS applications. With SSPM, security administrators can easily understand the configuration of each application, see how to achieve a secure configuration, and ensure that applications are configured according to best practices.

At a minimum, SSPM should be able to report how SaaS security settings are currently configured and provide suggestions to reduce risk. Ideally, SSPM should be able to comprehensively test an application according to security benchmarks and perform automatic reconciliation and reconfiguration.

SSPM Features and Capabilities

Here are several key features every SSPM solution should provide:

• 24/7 monitoring—continuously monitoring and enforcing security and privacy policies for SaaS applications.
• Application support—enabling quick integration with the SaaS ecosystem of the organization, including video conferencing platforms, HR management systems, customer support tools, workspaces, dashboards, content, file-sharing applications, marketing platforms, messaging applications, and all integrated applications. The SSPM solutions should be able to detect misconfigurations or incorrect roles and privileges in any of these applications.
• Remediation—supports remediation efforts, either automatically or manually via support from the SSPM vendor. SSPM solutions that provide active remediation can improve your ability to rapidly respond to security risks.
• Built-in security benchmarks—continuously running security checks according to industry benchmarks and industry standards, and determining insecure configurations or those that represent a compliance violation. SSPM solutions should also be able to tailor security and compliance checks to the specific needs of the organization.
• Single pane of glass—displaying all security risks across all applications on one, user-friendly dashboard. All stakeholders, including application users, IT and security staff, should be able to understand security risks and receive actionable information to remediate them.

What is the Relation Between Cloud Access Security Brokers (CASB) and SSPM?

A Cloud Access Security Broker (CASB) is a broadly adopted security solution, which acts as a bridge between end users and cloud providers. It improves visibility over application traffic, and applies consistent security policies across on-premise, SaaS, PaaS, and IaaS environments.

Many CASB vendors are adding SSPM and cloud security posture management (CSPM) to their products. There are three advantages to the convergence between CASB and SSPM solutions:

• Multi cloud—CASB solutions are typically integrated with multiple cloud providers, extending SSPM to multiple clouds.
• Mobile and BYOD—CASB solutions are agnostic to the user device, meaning they can provide visibility and control for any device accessing a SaaS application, including mobile devices, personal, unmanaged devices (bring your own device) and devices owned by partners, contractors or other third parties.
• Remote work—increasingly, SaaS applications are being accessed remotely and not from a secured office location. Virtual Private Networks (VPN) are not a viable solution for accessing SaaS applications remotely, yet CASB can provide effective secure access for remote workers.

Contact FIPCO for more information about SaaS Security Posture Management solutions:

An SSPM solution ensures that SaaS applications are properly configured to protect them from compromise. The solution continuously monitors SaaS applications to identify gaps between stated security policies and actual security posture, letting you automatically find and fix security risks in SaaS assets, and automatically prioritize risks and misconfigurations by severity.

SSPM provides:

• Automatic tracking of SaaS risks – tracks security posture across all SaaS platforms, prioritized by risk category, tracked over time directly from the a centralized dashboard.
• Automatic analysis and fix in one click – drills down to provide details and insights about every identified risk, recommends remediation actions, and applies them automatically.

Contact Rob Foxx at FIPCO for more information.